Re: 2 security concerns: remote init, and disabling CVSROOT/passwd

Excuse the cross-post. Development discussions are more appropriately
sent to bug-cvs. Please delete address@hidden from any replies.

Sylvain Beucler wrote:
[summary of remote `cvs init' exploit]

> Currently the command is disabled for remote access, using a
> quick'n'dirty patch ("if (server_active) exit(EXIT_FAILURE)").
> What would you recommend? Are there legitimate uses for remote 'init'?
> I wouldn't like users creating their private repositories at Savannah
> either.

No, there really aren't any legitimate uses for `cvs init' via remote
access. Anyone who is creating a new CVS repository or upgrading a CVS
server to use a new CVS executable presumably has local access to the
machine anyhow.

I've recommended something like your `hack' to customers in the past,
but I've never actually installed the change into CVS itself until a few
minutes ago (in stable - the merge to 1.12.x is still running through
the regression suite). It should be incorporated into the 1.11.23 &
1.12.14 releases.

> Since we have numerous repositories, we hit command line limits for
> pserver --allow-root (2700 * 2 * 20 / 1024 = 105KB, not counting
> aliases). Besides, it is not really easy to change the 'pserver'
> command line in xinetd each time a new project is created.
> To overcome this, we used Vincent Caron's patch
> (https://mail.gna.org/public/savane-dev/2005-08/msg00042.html).

For starters, I've heard of an --allow-root-file patch which allows all
the roots to be specified in a file with only the file name being
specified on the command line. The only reference I found to it in a
quick Google search was in a savane-dev archive, however, and there were
some broken links so I couldn't figure out how to get the attachment:

> Currently there's a hard-coded patch at Savannah which prevents parsing
> CVSROOT/passwd for pserver; the root-owned pserver is also run behind
> the firewall, as it's only used internally, and only for web
> repositories (the public pserver is run as user nobody). Of course
> that's a pretty brute way to handle the situation.

[snip]

> - Permit the CVS administrator to disable CVSROOT/passwd
> authentication with a pserver command-line switch (a cracker might
> still switch to an insecure PAM scheme, but that's less
> straightforward).
> - Or more generally, specify the allowed authentication scheme in the
> pserver command line (this would be easier to secure) - overriding
> CVSROOT/config.

> Could you send me the patch you mention? I should be able to adapt it
> to a command-line switch pretty easily.

I pulled out and attached both patches from that issue from a backup of
the old Issuezilla.

I don't know if you still want the --allow-root-regexp patch merged into
1.12.x, but I found some discussion in the archives and it sounds like
we were waiting on documentation and test cases for the change.
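The --allow-root-file idea discussed above (all permitted roots listed in a file, only the file name on the pserver command line) is small enough to sketch in full. The following is an added illustration written for this page, not CVS's code nor the savane-dev patch; the function names (`load_allow_roots`, `root_allowed`, `normalize_root`), the file format (one absolute root per line, `#` comments) and the sample file contents are all assumptions made here. The two properties a practitioner cares about are shown: a malformed list fails closed (the server refuses every root rather than silently allowing some), and a requested root has to match an entry exactly after normalization, so `/srv/cvs/foo` does not authorize `/srv/cvs/foobar` and paths containing `..` are rejected outright.

```c
/* Hypothetical --allow-root-file style check for a pserver-like daemon.
 * Added example for this page; not CVS's own implementation. */
#include <stdio.h>
#include <string.h>

#define MAX_ROOTS    256   /* sized for the example; a real list (2700 roots) would be heap-allocated */
#define MAX_ROOT_LEN 256

struct root_list {
    char   roots[MAX_ROOTS][MAX_ROOT_LEN];
    size_t count;
};

/* Normalize a repository root: it must be absolute, must not contain "." or ".."
 * components, duplicate slashes are collapsed and a trailing slash is dropped.
 * Returns 0 and fills out[] on success, -1 if the path is rejected. */
static int normalize_root(const char *in, char *out, size_t outlen)
{
    if (in == NULL || in[0] != '/')
        return -1;                      /* relative roots are never acceptable */
    size_t o = 0;
    const char *p = in;
    while (*p) {
        while (*p == '/') p++;          /* skip one or more separators */
        if (*p == '\0') break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - start);
        if ((len == 1 && start[0] == '.') ||
            (len == 2 && start[0] == '.' && start[1] == '.'))
            return -1;                  /* refuse rather than resolve traversal */
        if (o + 1 + len >= outlen) return -1;
        out[o++] = '/';
        memcpy(out + o, start, len);
        o += len;
    }
    if (o == 0) return -1;              /* "/" alone is not a usable repository root */
    out[o] = '\0';
    return 0;
}

/* Parse the contents of an allow-root file (passed as a string so the example
 * runs offline).  Blank lines and lines starting with '#' are ignored.
 * Returns the number of roots loaded, or -1 if any line is malformed: a bad
 * list disables the server instead of partially enabling it. */
int load_allow_roots(const char *text, struct root_list *list)
{
    list->count = 0;
    const char *p = text;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t rawlen = eol ? (size_t)(eol - p) : strlen(p);
        size_t len = rawlen;
        while (len > 0 && (p[len - 1] == ' ' || p[len - 1] == '\t' || p[len - 1] == '\r'))
            len--;                      /* strip trailing whitespace / CR */
        size_t start = 0;
        while (start < len && (p[start] == ' ' || p[start] == '\t'))
            start++;                    /* strip leading whitespace */
        if (start < len && p[start] != '#') {
            char raw[MAX_ROOT_LEN];
            if (len - start >= sizeof raw || list->count >= MAX_ROOTS)
                return -1;
            memcpy(raw, p + start, len - start);
            raw[len - start] = '\0';
            if (normalize_root(raw, list->roots[list->count], MAX_ROOT_LEN) != 0)
                return -1;
            list->count++;
        }
        p = eol ? eol + 1 : p + rawlen;
    }
    return (int)list->count;
}

/* Returns 1 if the client-supplied root is on the list, 0 otherwise.
 * Comparison is an exact match on the normalized path, never a prefix match. */
int root_allowed(const struct root_list *list, const char *requested)
{
    char norm[MAX_ROOT_LEN];
    if (normalize_root(requested, norm, sizeof norm) != 0)
        return 0;
    for (size_t i = 0; i < list->count; i++)
        if (strcmp(list->roots[i], norm) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample file; not a real Savannah configuration. */
    static const char sample[] =
        "# allow-root file (constructed example)\n"
        "/srv/cvs/project-a\n"
        "/srv/cvs/project-b/   \n"
        "\n";
    static const char *tries[] = {
        "/srv/cvs/project-a", "/srv/cvs/project-a/../project-c",
        "/srv/cvs/project-ab", "srv/cvs/project-a", "/srv/cvs/project-b",
    };
    struct root_list list;
    if (load_allow_roots(sample, &list) < 0) {
        fprintf(stderr, "refusing to start: malformed allow-root file\n");
        return 1;
    }
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-36s %s\n", tries[i], root_allowed(&list, tries[i]) ? "allowed" : "denied");
    return 0;
}
```

The normalization deliberately rejects `..` instead of resolving it: resolving would require consulting the filesystem (symlinks) at authentication time, and a root that needs traversal to be expressed is not one an administrator listed.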